Quality Audit

Internal Audits are one of the fundamentals of any management system. The Quality Audit means checking that you are doing what you say you do in your procedures, and that you are meeting the requirements of the work effectively.

This is not about a review of financial systems. They are outside the scope of management systems. The International Organization for Standardization (ISO) requires the use of Auditing of your operation and the Management System itself. That sounds simple. However, to ensure your work processes really meet the needs of your customer, your audits need to be thorough and regular for all parts of your management system. After all, if your work drifts away from what you promise your customer, you will lose business. So, the Audit helps keep you on track and doing things correctly.

An Audit examines the work processes, you are using, against your requirements for the works and the procedures you have documented. The requirements that your customer needs you to deliver, and other legal reponsibilities, should determine your work procedures. That is true, whether for a product or a service. The procedures are the step-by-step activities you use to meet those requirements. Ultimately, they are your Best Practice.

Audits expose work-process problems and inefficiencies

The documentation you have in your Management System (MS) describe the work processes you follow. To be effective, an Audit must look at each of those steps your staff follow to complete the work. Then, those steps need checking back against the procedure documentation. If your documents perfectly describe what your staff are doing, and the work meets requirements effectively, that is good. It means you are doing, what you say, you are doing.

If your staff are doing something un-documented, or that does not meet the requirements, the Audit should show that up. Checking what you do against your procedures requires close examination. Each stage of the actual work must match the documented procedures and the requirements.

If there is a mismatch between the work procedures, documentation and the requirements, there should be an review to identify what is your Best Practice. Then there are three cases to consider…

• Documentation does not match the work being done. If this is the case, the documentation is incorrect and needs a change or update to properly describe what your staff does to meet the requirements.
• Work process matches the documented procedures, but they do not meet the requirements. In this case, you are doing something wrong. Take corrective action to make sure your processes change to meet the requirements. Then you must update the documents to describe your new work process.
• Work process does not match the documentation but does meet the requirements. You may need to update the documents to match your work process.

Alternatively, explore different ways to do the work and still meet the requirements. This is a good opportunity to look for more efficient or cost-effective work methods or processes. Either way, you must update the documented procedures.

Audits vary – what do you need to examine?

There are three types of Internal Audit – each looks at specific parts of the management system. They are…

• The Product or Service Audit– an examination of a product or service to see if it meets the requirements. Requirements vary, they could be a product specification, a performance standard, a customer or legal requirement – or all of these.
• A Process Audit – This determines if the work processes are correct to meet the requirements and standards set. This audit examines the documentation and then must determine if the work processes match the written description. A process audit must check conformance to a range of parameters defined in the procedure. Examples may include accuracy, time, pressure, materials, mixtures and work order. However, a process audit could also go wider. If so, it may include resources, materials machinery, documentation, staffing and training or more.
• System Audit– This is conducted to examine the MS itself. The aim is to check that the system is working according to the specification for the management system itself. Such an audit can include any aspect of the system set out in the Management Standard. A system audit will take a detailed look at, for example, system implementation and decision-making about corrective actions. Or, it may examine any other aspect of the system. Thus, the audit can penetrate any part of the system where a problem is exposed.

The internal Audit Purpose

Audits tend to fall into categories that match the structure of the Management System. For example, audits often focus on a particular paragraph of the management system specification. Or an audit could focus on one department or process in your business. For example, you might examine the corrective actions procedure for the Quality Department. Also, audits often aim solely to see if there are ways you can improve your system.

Another type of audit is the ‘follow up’. This aims at checking that previous corrective actions have rectified problems or made the changes required by a previous audit. Follow-ups are good management practice in any organisation. If you are using formal audits, it helps legitimise the process. It also checks that things done regularly and to a good standard.

Independence is essential

An audit must be conducted so it is independent of the work process. You cannot audit yourself. Of course, your boss cannot audit his own department. An effective audit is best carried out when the auditor has no stake in the work process. Remember, auditors have to be incorruptible and not personally accountable for the outcomes of the process.

So, who carries out an audit?

There are three basic types of audit. The different audits are…

• An Internal Audit (First-Party Audit): Carried out inside the organisation by an auditor and assistants from within the organisation. Internal Auditors may be your company Quality Manager, or someone specially trained for the work. However, they are never directly associated with the processes, they are auditing. They must remain impartial. Internal Audits represent the first level at which the organisation checks on its own system and work processes.
• An External Audit(Second-Party Audit): External Auditors visit from outside your organisation. They could be a supplier, a customer or an external organisation. In the case of customer or supplier lead audits, the relationship with your organisation is not necessarily impartial. This is because the external auditors have a stake in ensuring your work processes are consistent with their own standards, processes and requirements.
• Third-Party Audit (Independent Audit): Third parties carry out an independent audit. They are separate from stakeholders like suppliers and customers. The aim is usually for certification purposes for a Management Standard. However, they may also involve various specialised system consultations and external assistance with decision-making, system improvements or changes.

Why is my organisation doing this?

In a ‘Quality’ organisation, the managers work in a structured way. Management system audits help to make sure the work structure is known to everyone. Internal Audits follow a clear, logical and organised format. It also helps recognition of work problems and how to resolve them.

Preparing an audit?

Every Internal Audit requires preparation. Scheduling is important as auditors have responsibility to make sure that the relevant people are available, and with the relevant permissions. The lead auditor must also produce a plan for the audit. The plan details the scope of the audit, including the detail of the examination of the work process. Most important is that the auditor, lead auditor and the audit department or organisation are well briefed with the scope of the audit and aware of the relevant dates, times and access.

The audit itself

The audit involves a variety of activities. Gathering data, evidence and samples is central to the process. The auditors are looking for improvements and non-conformance to the management system, as well as non-compliance to client or specified requirements.

Auditors collect evidence of the records and activities observed as proof of the current work standards. This compares to past audit results and shows performance improvements, or decline. The auditors gather evidence of improvement too. Positive reinforcement is a motivator. So, it helps people to see the positive side of the management system.

At the end of an audit, there is a feedback meeting to the involved parties. Audits are not secretive. In fact, they should create a fruitful exchange of positive ideas for improvement.

The internal audit meeting

The Internal Audit meeting takes place at the end of the audit. The auditor identifies the findings and presents evidence. The report gives managers an improvement tool to assist them with corrective actions. Of course, corrective actions and setting goals for improvement are primary management functions. So, the feedback from the audit meeting is a significant factor in positively improving the business.

Follow up

Audits extend beyond the data gathering and audit report. All identified and agreed corrective actions or improvements must documented and put in place. Other changes also need implementing.

A follow-up check or audit should be conducted to ensure the actions are effective. Finally, significant investment, long time scales, or many changes will involve further audits.

Auditors nose…

We have seen the importance of auditor independence. Normally, Internal Audits have a defined structure or scope. Nevertheless, an auditor is free to examine any related aspect of the management system and work processes. Sometimes, that means following leads or evidence outside the audit plan or scope. Auditors are normally encouraged to follow these leads. Such investigations help identify the wider impact of non-conformance or work performance where they affect the MS.

Auditors have to be aware of time and the audit plan. So, they can make special recommendations in their report at the audit meeting. These include evidence and investigative details from the audit. Generally, they follow these approaches…

• A conclusion about an issue outside the audit scope but investigated anyway.
• Recommendations for a further audit where an issue is beyond the scope or time allotted.
• An order for a corrective action covering any non-conformance for an out-of-scope issue.
• A report on the out-of-scope finding and agreement on follow-up another time.

Corrective actions after internal audits

When the auditor comes across a non-conformance, there is a need for a corrective action. A statement of non-conformances or issues is a common outcome of an Internal Audit. It directs the management’s attention at the identified problems, opportunities for improvement, or a need to change. It also points out changes needed to ensure the documentation and the current work actions match. Of course, determining and implementing the Corrective actions are a management task. So, management should make sure that procedures and work are properly improved.

Ultimately…

Auditors have no power to take actions directly. Instead, they rely on the managers to make changes and request the follow-ups. However, auditors provide the organisation with problem finding skills and ways to define areas for improvement. Often, the audit will verify that a past corrective action had a positive outcome. So, internal audits can also prove previous  measures are effective.

Sometimes, audits have on-going implications well beyond the original audit. However, you should welcome them. Ultimately, they contribute to continuous improvement within the organisation.

MAKE YOUR SYSTEMS WORK For you

Audits are an essential part of your Management System. They provide a way for you to test your management system for consistency, improvement and resilience. Further, they provide a way for you to be sure that things are working right and working for the future improvement of your business.

CHARTER4 can help you achieve this state of continual improvement. However, we go an extra mile. We work to a solid, and important principle. While we want you to gain your certification, we also want you to get a return on your investment in ISO Standards. In fact, we say, “Improve your business, rather than just comply”. By that, we mean that we focus our efforts on giving you a system that has real business benefits – not just another certificate.

If you would like to know more about our unique approach we can explain more. Simply press one of the buttons below.